Merge pull request #406 from arthurscchan/fix-empty-content

loosebazooka · web-flow · commit 5e126a43830e · 2023-04-20T14:03:58.000-04:00
Fix: Fix possible Null Pointer Exception
diff --git a/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java b/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java
@@ -74,7 +74,9 @@ public static PublicKey parsePublicKey(byte[] keyBytes)
       throw new InvalidKeySpecException("Invalid key, could not parse PEM section");
     }
     // special handling for PKCS1 (rsa) public key
-    if ((section == null) || (section.getContent() == null)) {
+    // TODO: The length checking is not necessary after https://github.com/bcgit/bc-java/issues/1370
+    // has been merged. Remove it when bc-java is updated with the merge.
+    if ((section == null) || (section.getContent() == null) || (section.getContent().length == 0)) {
       throw new InvalidKeySpecException("Invalid key, empty PEM section");
     }
     if (section.getType().equals("RSA PUBLIC KEY")) {
diff --git a/sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java b/sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java
@@ -19,6 +19,7 @@
 
 import com.google.common.io.Resources;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.PublicKey;
@@ -208,6 +209,16 @@ void parsePkixPublicKey_ecdsa() throws NoSuchAlgorithmException, InvalidKeySpecE
     Assertions.assertNotNull(Keys.parsePkixPublicKey(Base64.decode(base64Key), "EC"));
   }
 
+  @Test
+  void parsePublicKey_failOnNullSection()
+      throws IOException, NoSuchAlgorithmException, NoSuchProviderException {
+    // This unit test is used to test the fix for a bug discovered by oss-fuzz
+    // The bug happens when a malformed byte array is passed to the method
+    // https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57247
+    byte[] byteArray = "-----BEGIN A-----\nBBBBB-----END A".getBytes(StandardCharsets.UTF_8);
+    Assertions.assertThrows(InvalidKeySpecException.class, () -> Keys.parsePublicKey(byteArray));
+  }
+
   @Test
   void testGetJavaVersion() {
     assertEquals(1, Keys.getJavaVersion("1.6.0_23"));

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,9 @@ public static PublicKey parsePublicKey(byte[] keyBytes)`
`74`	`74`	`throw new InvalidKeySpecException("Invalid key, could not parse PEM section");`
`75`	`75`	`}`
`76`	`76`	`// special handling for PKCS1 (rsa) public key`
`77`		`- if ((section == null) \|\| (section.getContent() == null)) {`
	`77`	`+ // TODO: The length checking is not necessary after https://github.com/bcgit/bc-java/issues/1370`
	`78`	`+ // has been merged. Remove it when bc-java is updated with the merge.`
	`79`	`+ if ((section == null) \|\| (section.getContent() == null) \|\| (section.getContent().length == 0)) {`
`78`	`80`	`throw new InvalidKeySpecException("Invalid key, empty PEM section");`
`79`	`81`	`}`
`80`	`82`	`if (section.getType().equals("RSA PUBLIC KEY")) {`